dragonfly icon indicating copy to clipboard operation
dragonfly copied to clipboard
verified publisher icon dragonflydb

Unpatched Redis Sources (CVE-2022-33105)

Open Garnik645 opened this issue 1 year ago • 1 comments

The master branch of the dragonfly project contains unpatched sources from redis, in which CVE-2022-33105 was reported with high severity. The function streamGetEdgeID from dragonfly/src/redis/t_stream.c does not include patches and updates available in newer versions of redis, which can cause a memory leak. The fix for CVE can be found in this commit: redis commit.

To ensure that all patches are applied, I recommend updating the redis files in the dragonfly project to the latest version.

My report was primarily based on a static analysis tool developed at CAST, which flagged the potential vulnerability due to similarities in the codebase.

Garnik645 avatar Sep 30 '24 10:09 Garnik645

Thanks for reporting this, we will sync t_stream with Valkey OSS.

romange avatar Sep 30 '24 10:09 romange

@adiholden we should schedule this task at some point

romange avatar Nov 20 '24 07:11 romange